Added TLSConfiguration.getNWProtocolTLSOptions()

Supports a very basic set of options at the moment.
- min/max TLS version
- disabling certificate verification

Author: adam-fowler

Sources/AsyncHTTPClient/NIOTransportServices/TLSConfiguration.swift

@@ -0,0 +1,127 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the AsyncHTTPClient open source project
+//
+// Copyright (c) 2018-2020 Apple Inc. and the AsyncHTTPClient project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of AsyncHTTPClient project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+#if canImport(Network)
+
+import Foundation
+import Network
+import NIOSSL
+import NIOTransportServices
+
+internal extension TLSVersion {
+    /// return Network framework TLS protocol version
+    var nwTLSProtocolVersion: tls_protocol_version_t {
+        switch self {
+        case .tlsv1:
+            return .TLSv10
+        case .tlsv11:
+            return .TLSv11
+        case .tlsv12:
+            return .TLSv12
+        case .tlsv13:
+            return .TLSv13
+        }
+    }
+}
+
+@available (macOS 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *)
+internal extension TLSConfiguration {
+    
+    /// Dispatch queue used by Network framework TLS to control certificate verification
+    static var tlsDispatchQueue = DispatchQueue(label: "TLSDispatch")
+
+    /// create NWProtocolTLS.Options for use with NIOTransportServices from the NIOSSL TLSConfiguration
+    ///
+    /// - Parameter queue: Dispatch queue to run `sec_protocol_options_set_verify_block` on.
+    /// - Returns: Equivalent NWProtocolTLS Options
+    func getNWProtocolTLSOptions() -> NWProtocolTLS.Options {
+        let options = NWProtocolTLS.Options()
+        
+        // minimum TLS protocol
+        if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
+            sec_protocol_options_set_min_tls_protocol_version(options.securityProtocolOptions, self.minimumTLSVersion.nwTLSProtocolVersion)
+        }
+        
+        // maximum TLS protocol
+        if let maximumTLSVersion = self.maximumTLSVersion {
+            if #available(macOS 10.15, iOS 13.0, tvOS 13.0, watchOS 6.0, *) {
+                sec_protocol_options_set_max_tls_protocol_version(options.securityProtocolOptions, maximumTLSVersion.nwTLSProtocolVersion)
+            } else {
+                precondition(self.maximumTLSVersion != nil, "TLSConfiguration.maximumTLSVersion is not supported")
+            }
+        }
+
+        // application protocols
+        if self.applicationProtocols.count > 0 {
+            preconditionFailure("TLSConfiguration.applicationProtocols is not supported")
+        }
+        /*for applicationProtocol in self.applicationProtocols {
+            applicationProtocol.utf8.withContiguousStorageIfAvailable { buffer in
+                guard let opaquePointer = OpaquePointer(buffer.baseAddress) else { return }
+                let int8Pointer = UnsafePointer<Int8>(opaquePointer)
+                sec_protocol_options_add_tls_application_protocol(options.securityProtocolOptions, int8Pointer)
+            }
+        }*/
+
+        // the certificate chain
+        if self.certificateChain.count > 0 {
+            preconditionFailure("TLSConfiguration.certificateChain is not supported")
+        }
+        
+        // cipher suites
+        if self.cipherSuites.count > 0 {
+            //preconditionFailure("TLSConfiguration.cipherSuites is not supported")
+        }
+        
+        // key log callback
+        if let _ = self.keyLogCallback {
+            preconditionFailure("TLSConfiguration.keyLogCallback is not supported")
+        }
+        
+        // private key
+        if let _ = self.privateKey {
+            preconditionFailure("TLSConfiguration.privateKey is not supported")
+        }
+        
+        // renegotiation support key is unsupported
+        
+        // trust roots
+        if let trustRoots = self.trustRoots {
+            guard case .default = trustRoots else {
+                preconditionFailure("TLSConfiguration.trustRoots != .default is not supported")
+            }
+        }
+        
+        switch self.certificateVerification {
+        case .none:
+            // add verify block to control certificate verification
+            sec_protocol_options_set_verify_block(options.securityProtocolOptions, { (sec_protocol_metadata, sec_trust, sec_protocol_verify_complete) in
+                //let trust = sec_trust_copy_ref(sec_trust).takeRetainedValue()
+                //var error: CFError?
+                //if SecTrustEvaluateWithError(trust, &error) {                
+                sec_protocol_verify_complete(true)
+            }, TLSConfiguration.tlsDispatchQueue)
+
+        case .noHostnameVerification:
+            precondition(self.certificateVerification != .noHostnameVerification, "TLSConfiguration.certificateVerification = .noHostnameVerification is not supported")
+
+        case .fullVerification:
+            break
+        }
+
+        return options
+    }
+}
+
+#endif

Sources/AsyncHTTPClient/Utils.swift

@@ -2,7 +2,7 @@
 //
 // This source file is part of the AsyncHTTPClient open source project
 //
-// Copyright (c) 2018-2019 Apple Inc. and the AsyncHTTPClient project authors
+// Copyright (c) 2018-2020 Apple Inc. and the AsyncHTTPClient project authors
 // Licensed under Apache License v2.0
 //
 // See LICENSE.txt for license information
@@ -67,46 +67,8 @@ extension ClientBootstrap {
     }
 }
 
-// Used by temporary code below
-let tlsDispatchQueue = DispatchQueue(label: "TLSDispatch")
-
 extension NIOClientTCPBootstrap {
 
-    // TEMPORARY: This is temporary code and an extended version of this should really be in NIOTransportServices. But this allows us to run tests and get results back
-    // for the TLS tests
-    #if canImport(Network)
-    @available (macOS 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *)
-    fileprivate static func getTLSOptions(tlsConfiguration: TLSConfiguration?, queue: DispatchQueue) -> NWProtocolTLS.Options {
-        guard let tlsConfiguration = tlsConfiguration else { return .init() }
-        let options = NWProtocolTLS.Options()
-        
-        sec_protocol_options_set_verify_block(options.securityProtocolOptions, { (sec_protocol_metadata, sec_trust, sec_protocol_verify_complete) in
-            let trust = sec_trust_copy_ref(sec_trust).takeRetainedValue()
-            
-            var error: CFError?
-            if SecTrustEvaluateWithError(trust, &error) {
-                sec_protocol_verify_complete(true)
-            } else {
-                // check error
-                var errorCode: CFIndex = 0
-                if let userInfo = CFErrorCopyUserInfo(error) {
-                    let userInfoDictionary = userInfo as NSDictionary
-                    let underlyingError = userInfoDictionary[kCFErrorUnderlyingErrorKey!] as! CFError
-                    errorCode = CFErrorGetCode(underlyingError)
-                }
-                if tlsConfiguration.certificateVerification == .none ||
-                    (tlsConfiguration.certificateVerification == .noHostnameVerification && errorCode == errSecNotTrusted) {
-                    sec_protocol_verify_complete(true)
-                } else {
-                    sec_protocol_verify_complete(false)
-                }
-            }
-        }, queue)
-          
-        return options
-    }
-    #endif
-    
     /// create a TCP Bootstrap based off what type of `EventLoop` has been passed to the function.
     fileprivate static func makeBootstrap(
         on eventLoop: EventLoop,
@@ -116,15 +78,19 @@ extension NIOClientTCPBootstrap {
     ) throws -> NIOClientTCPBootstrap {
         let bootstrap: NIOClientTCPBootstrap
         #if canImport(Network)
+        // if eventLoop is compatible with NIOTransportServices create a NIOTSConnectionBootstrap
         if #available(OSX 10.14, iOS 12.0, tvOS 12.0, watchOS 6.0, *), eventLoop is NIOTSEventLoop {
             let tsBootstrap = NIOTSConnectionBootstrap(group: eventLoop).channelOption(NIOTSChannelOptions.waitForActivity, value: false)
+            let tlsConfiguration = configuration.tlsConfiguration ?? TLSConfiguration.forClient()
+            
+            // if we have a proxy and require TLS then use NIOSSL tls support
             if configuration.proxy != nil, requiresTLS {
-                let tlsConfiguration = configuration.tlsConfiguration ?? TLSConfiguration.forClient()
                 let sslContext = try NIOSSLContext(configuration: tlsConfiguration)
                 let hostname = (!requiresTLS || host.isIPAddress) ? nil : host
                 bootstrap = try NIOClientTCPBootstrap(tsBootstrap, tls: NIOSSLClientTLSProvider(context: sslContext, serverHostname: hostname))
             } else {
-                let parameters = NIOClientTCPBootstrap.getTLSOptions(tlsConfiguration: configuration.tlsConfiguration, queue: tlsDispatchQueue)
+                // create NIOClientTCPBootstrap with NIOTS TLS provider
+                let parameters = tlsConfiguration.getNWProtocolTLSOptions()
                 let tlsProvider = NIOTSClientTLSProvider(tlsOptions: parameters)
                 bootstrap = NIOClientTCPBootstrap(tsBootstrap, tls: tlsProvider)
             }
@@ -141,7 +107,7 @@ extension NIOClientTCPBootstrap {
         }
         return bootstrap
     }
-    
+
     static func makeHTTPClientBootstrapBase(
         on eventLoop: EventLoop,
         host: String,